What is a SOC 2 Audit?

A SOC 2 audit is an audit of a service organization’s non-financial reporting controls as they relate to the Trust Services Criteria – the security, availability, processing integrity, confidentiality, and privacy of a system.

A SOC 2 audit report provides user entities with reasonable assurance and peace of mind that the non-financial reporting controls at a service organization are suitably designed, in place, and appropriately protecting sensitive client data. Below, we explore the two types of SOC 2 audit reports.

How is a SOC 2 audit different from a SOC 1 audit? Watch our SOC 1 vs SOC 2 video or explore our guide to find out!

SOC 2 Type I vs. Type II: What’s the Difference?

| Aspect | SOC 2 Type 1 | SOC 2 Type 2 |
| --- | --- | --- |
| Objective | To assess the design of controls at a specific point in time. | To evaluate the operational effectiveness of controls over a period of time. |
| Focus on Time | Examines controls as of a specific date. | Examines controls over a minimum period of six months. |
| Nature of Audit | Point-in-time assessment. | Period-of-time assessment. |
| Evaluation of Controls | Assesses if the company’s controls are properly designed to meet the Trust Services Criteria. | Assesses both the design and the operational effectiveness of the controls. |
| Report Length | Generally shorter, as it only covers the design of controls at a single point. | Generally longer, as it covers the operation of controls over a period of time. |
| Usefulness | Useful for organizations that want to demonstrate they have a system in place with designed controls. | Useful for organizations that want to show their controls are not only designed properly but also operating effectively over time. |
| Audience | Potential clients, partners, and stakeholders interested in the design of controls. | Potential clients, partners, and stakeholders interested in the effectiveness of controls over time. |
| Frequency of Audit | Typically performed once as a preliminary assessment. | Performed annually or as required by stakeholders. |
| Cost | Generally less expensive due to the narrower scope. | More expensive due to the extended period of evaluation and more comprehensive nature. |
| Ideal For | Newer companies or those in the early stages of implementing a SOC program. | Established companies with mature controls looking to demonstrate effectiveness over time. |
| Report Content | Describes the systems and whether the design of specified controls meets the relevant Trust Services Criteria as of a specific date. | Includes the information in Type 1 and also describes the operating effectiveness of controls over a review period. |
| Trust Services Criteria | Security, Availability, Processing Integrity, Confidentiality, and Privacy. | Security, Availability, Processing Integrity, Confidentiality, and Privacy. |
| Certification Validity | No ongoing validity; it’s a snapshot in time. | Provides ongoing assurance about the system, valid for the duration of the audit period. |

SOC 2 Type I and Type II both report on the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. There are many other similarities between SOC 2 Type I and SOC 2 Type II reports, but there is one key difference.

What is a SOC 2 Type I Report?

A SOC 2 Type I report—also written SOC 2 Type 1—is an attestation of controls at a service organization at a specific point in time. SOC 2 Type I reports on the description of controls provided by the management of the service organization and attests that the controls are suitably designed and implemented.

What is a SOC 2 Type II Report?

A SOC 2 Type II report—also written SOC 2 Type 2—is an attestation of controls at a service organization over a minimum six-month period. SOC 2 Type II reports on the description of controls provided by the management of the service organization, attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.

During a SOC 2 Type II audit, the auditor carries out fieldwork on a sample of days across the testing period to observe how controls are implemented and how effectively they operate.

As you can see, the key difference between SOC 2 Type I and SOC 2 Type II reports is that Type II audits are conducted over a significantly longer period. This allows Type II reports to attest to control effectiveness, something that is not possible with the shorter Type I report, which can only attest to the suitability of design and implementation.

Which SOC 2 Compliance Report Is Right for Your Business?

As a CPA firm, we advise clients who are engaging in a SOC 2 audit for the first time to begin with a Type I and move on to a Type II the following audit period. This gives service organizations a good starting point and more time to focus on the description of their system, allowing them to mature their environment over time.

Start Your SOC 2 Audit Journey with KirkpatrickPrice Today

Many organizations are required to undergo a third-party SOC 2 audit, but we know this process can feel overwhelming. That’s why we’re here to partner with your organization from audit readiness to final report! If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, connect with one of our experts today.


Starting a SOC 2 audit can be overwhelming. 

You know you need a SOC 2 audit, but don’t know what to expect or how to get started. The SOC 2 Compliance Checklist below will prepare you for what your auditors look for and how to confidently begin your SOC 2 compliance journey.

What is a SOC 2 Compliance Audit?

A SOC 2 audit attests that the system or service you provide to your clients is secure, trustworthy, and prepared to handle risks. This attestation is achieved through a quality examination of your people, processes, and technologies by an experienced, licensed CPA firm.

A SOC 2 audit validates your organization’s commitment to delivering high quality, secure services to your clients.

What’s Included in the SOC 2 Compliance Checklist?

This exclusive SOC 2 compliance checklist, prepared by KirkpatrickPrice’s SOC 2 compliance professionals, outlines the specifics of each system component that will be evaluated during your SOC 2 audit.

The SOC 2 Checklist will cover:

  • The Trust Services Criteria
  • The system components evaluated in your audit
  • Which policies and procedures need to be in place
  • Average length of a SOC 2 audit
  • Answers to frequently asked SOC 2 questions

What Makes a SOC 2 Audit Successful?

After completing your SOC 2 audit, you might have concerns about completing it correctly. Here are four main metrics to help you evaluate a SOC 2 audit’s success:

Receiving C-Level Support

C-level executives and stakeholders must understand and support the audit as it relates to the organization’s information security needs. Without it, how can the business implement policies or procedures, approve funding, or drive the audit’s outcome?

Authentically Taking Company-wide Action

While SOC 2 audits help strengthen and enhance a business, many organizations hesitate at the lengthy process and overlook the benefits as a result. An audit isn’t something to be completed haphazardly. Instead, a business should treat audits as an opportunity to improve internal processes, security, and organizational wellness among staff.

For example, a quality SOC 2 audit could have helped Clorox take action and avoid a significant cybersecurity breach. Unfortunately, few companies value cybersecurity enough to include security experts on their board, even though information security compliance frameworks require it. A successful audit helps companies remain vigilant in safeguarding their organization from the threat of a breach.

Using Compliance as a Competitive Advantage

When an organization leverages compliance achievements as a competitive edge, they take full advantage of the achievement, incorporating audit insights into marketing materials and sales conversations.

The opportunities are endless when you can demonstrate that you care about your customers’ data and have the evidence to prove it.

Continuing the SOC 2 Journey

After completing a SOC 2 audit for the first time, many of our clients agree the process was difficult but worth it.

By following remediation guidance, our clients proactively prepare for the next audit: they know what to expect, how to use the Online Audit Manager, and how to build a stronger information security program, and they can show their auditor the improvements made each year.

Keep in mind, you don’t have to have everything perfectly in place to start your audit. This checklist should just be a tool to help you prepare for your audit. If you need help putting controls in place, contact one of our experts today! We want to make sure you feel ready to successfully complete your SOC 2 audit.

Prepare to successfully start and complete your SOC 2 audit by downloading the SOC 2 Compliance Checklist!

NorthStar Education Services, a student financial aid and payment company, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that NorthStar Education Services has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet the industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and the operating effectiveness of NorthStar Education Services’s controls to meet the standards for these criteria.

Taige Thornton, President of NorthStar Education Services, said, “All organizations should ask for SOC reporting from their outsourced service vendors. Whether a vendor can provide a SOC report is a serious risk component that companies need to consider during any vendor due diligence analysis.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “NorthStar Education Services delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on NorthStar Education Services’s controls.”

About NorthStar Education Services

NorthStar Education Services is an affiliate of Ascendium Education Group. For 50 years, our focus has been to deliver industry-leading tools to support educational accessibility and success through student loan repayment, employee benefit/payment assistance, next-generation financial wellness, and education loan refinancing programs.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit https://kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.

What are the Trust Services Criteria?

Once your organization has decided that you are ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSC) you want to include in your SOC 2 audit report. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process. On a basic level, you can think about the Trust Services Criteria in terms of these concepts:

  • Security – Is the system protected, both physically and logically, against unauthorized access?
  • Availability – Is the system available for operation and use as agreed upon?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
  • Processing Integrity – Are the processing services provided in a complete, accurate, and timely manner?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?

Which Trust Services Criteria Apply to My Organization?

Security is the category that applies to all engagements and is what the remaining Trust Services Criteria are based on. In a non-privacy SOC 2 engagement, the security category must be included. The security category consists of the complete set of the common criteria, which integrate with the 2018 COSO Internal Control — Integrated Framework. The common criteria are categorized based on the following:

  • Control environment
  • Communication and information
  • Risk assessment
  • Monitoring activities
  • Control activities
  • Logical and physical access controls
  • System operations
  • Change management
  • Risk mitigation

It’s important to note, though, that your organization isn’t required to address all five of the Trust Services Criteria in your SOC 2 report; instead, you should select the categories that are relevant to the services you provide to your clients. So, aside from security, which of the remaining categories apply to your organization: availability, processing integrity, confidentiality, and/or privacy?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period? KirkpatrickPrice offers a wide variety of information security testing and auditing services. To learn more, contact a KirkpatrickPrice information security specialist today.